Sign in with
Sign up | Sign in
Your question

Trojan and/or adware on my system which i can't remove

Tags:
  • Security
  • Desktops
  • Windows XP
Last response: in Windows XP
Share
Anonymous
a b 8 Security
May 19, 2005 6:48:02 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi,
My system has developed a prolem. Unwanted ads keep popping up for all
sorts of trash, even when i'm not online. After i've closed the ads they
occasionally leave icons on my desktop. Also my desktop went blue with a
security warning in the middle about trojans & spyware on the system telling
me to install a program called security iguard (which i didn't). I've
managed to get rid of this (although i still can't get it to change from
blue) but now a flashing icon appears on the desktop toolbar with messages
about how my system is infected and telling me to install one security
program or another.

I'm on XP professional and when this started i only had the windows standard
firewall and McAfee Virus scan. I've now upgraded to the full McAfee
Internet Security package incl firewall. I've run both adaware and spybot,
both in safe mode and normal mode, and i've turned off system restore while i
was doing all those things. The new Mcafee package picked up a trojan and
deleted it but after all of the above the problem still persists.

Any advice please?

More about : trojan adware system remove

May 19, 2005 9:38:58 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

BrundleFly wrote:

> Hi,
> My system has developed a prolem. Unwanted ads keep popping up for
> all
> sorts of trash, even when i'm not online. After i've closed the ads
> they
> occasionally leave icons on my desktop. Also my desktop went blue
> with a security warning in the middle about trojans & spyware on the
> system telling
> me to install a program called security iguard (which i didn't). I've
> managed to get rid of this (although i still can't get it to change
> from blue) but now a flashing icon appears on the desktop toolbar with
> messages about how my system is infected and telling me to install one
> security program or another.
>
> I'm on XP professional and when this started i only had the windows
> standard
> firewall and McAfee Virus scan. I've now upgraded to the full McAfee
> Internet Security package incl firewall. I've run both adaware and
> spybot, both in safe mode and normal mode, and i've turned off system
> restore while i
> was doing all those things. The new Mcafee package picked up a trojan
> and deleted it but after all of the above the problem still persists.
>
> Any advice please?

If you are still getting popups, then your system is still infected.
Since you've already run Ad-aware and Spybot (presumably the latest
versions with updated definitions) in Safe Mode, move on to HijackThis
and post your log at one of the HijackThis forums (not here, please).
Here is information about HijackThis:

http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
Eshelman
http://aumha.net - forums
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/
http://www.spywareinfo.com/forums/

Malke
--
MS-MVP Windows User/Shell
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"
Anonymous
a b 8 Security
May 19, 2005 9:55:31 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Thanks Malke,
I'll try that. When you say my system is still infected, does it sound like
it is a trojan or just adware? If it's a trojan, what can this do to my
system and its security? presumably it's not safe to do things like internet
banking etc?

Thanks again buddy!


"Malke" wrote:

> BrundleFly wrote:
>
> > Hi,
> > My system has developed a prolem. Unwanted ads keep popping up for
> > all
> > sorts of trash, even when i'm not online. After i've closed the ads
> > they
> > occasionally leave icons on my desktop. Also my desktop went blue
> > with a security warning in the middle about trojans & spyware on the
> > system telling
> > me to install a program called security iguard (which i didn't). I've
> > managed to get rid of this (although i still can't get it to change
> > from blue) but now a flashing icon appears on the desktop toolbar with
> > messages about how my system is infected and telling me to install one
> > security program or another.
> >
> > I'm on XP professional and when this started i only had the windows
> > standard
> > firewall and McAfee Virus scan. I've now upgraded to the full McAfee
> > Internet Security package incl firewall. I've run both adaware and
> > spybot, both in safe mode and normal mode, and i've turned off system
> > restore while i
> > was doing all those things. The new Mcafee package picked up a trojan
> > and deleted it but after all of the above the problem still persists.
> >
> > Any advice please?
>
> If you are still getting popups, then your system is still infected.
> Since you've already run Ad-aware and Spybot (presumably the latest
> versions with updated definitions) in Safe Mode, move on to HijackThis
> and post your log at one of the HijackThis forums (not here, please).
> Here is information about HijackThis:
>
> http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
> Eshelman
> http://aumha.net - forums
> http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
> forum
> http://www.wilderssecurity.com/
> http://forums.tomcoyote.org/
> http://www.spywareinfo.com/forums/
>
> Malke
> --
> MS-MVP Windows User/Shell
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic"
>
Related resources
Can't find your answer ? Ask !
Anonymous
a b 8 Security
May 19, 2005 10:04:01 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi

Was interested in your problem and in particular whether you found a
solution - I too have had something 'infect' my system (running on Windows
XP) which has taken over by desktop - first of all it went blue and now it
changes colour occasionally!! - did you find a solution and, if so, what was
it ?

Thanks

"BrundleFly" wrote:

> Hi,
> My system has developed a prolem. Unwanted ads keep popping up for all
> sorts of trash, even when i'm not online. After i've closed the ads they
> occasionally leave icons on my desktop. Also my desktop went blue with a
> security warning in the middle about trojans & spyware on the system telling
> me to install a program called security iguard (which i didn't). I've
> managed to get rid of this (although i still can't get it to change from
> blue) but now a flashing icon appears on the desktop toolbar with messages
> about how my system is infected and telling me to install one security
> program or another.
>
> I'm on XP professional and when this started i only had the windows standard
> firewall and McAfee Virus scan. I've now upgraded to the full McAfee
> Internet Security package incl firewall. I've run both adaware and spybot,
> both in safe mode and normal mode, and i've turned off system restore while i
> was doing all those things. The new Mcafee package picked up a trojan and
> deleted it but after all of the above the problem still persists.
>
> Any advice please?
>
Anonymous
a b 8 Security
May 19, 2005 10:14:05 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi,
If you haven't already, run ad-aware & spybot. if they still don't work, as
they didn't for me, see Malke's reponse above. I haven't tried it yet
because he only posted it a few minutes ago. I'll be trying it when i get
home so i'll let you know tomorrow if it's successful. If it's not, i think
i'm just going to format the hard disk which you could also do if you're
prepared to back-up or lose everything on there for the peace of mind of a
clean system.

Are you getting ad pop-ups coming up aswell by the way? Let me know if you
find a way to fix the problem as it's driving me crazy now!

Good luck!

"DazandBella" wrote:

> Hi
>
> Was interested in your problem and in particular whether you found a
> solution - I too have had something 'infect' my system (running on Windows
> XP) which has taken over by desktop - first of all it went blue and now it
> changes colour occasionally!! - did you find a solution and, if so, what was
> it ?
>
> Thanks
>
> "BrundleFly" wrote:
>
> > Hi,
> > My system has developed a prolem. Unwanted ads keep popping up for all
> > sorts of trash, even when i'm not online. After i've closed the ads they
> > occasionally leave icons on my desktop. Also my desktop went blue with a
> > security warning in the middle about trojans & spyware on the system telling
> > me to install a program called security iguard (which i didn't). I've
> > managed to get rid of this (although i still can't get it to change from
> > blue) but now a flashing icon appears on the desktop toolbar with messages
> > about how my system is infected and telling me to install one security
> > program or another.
> >
> > I'm on XP professional and when this started i only had the windows standard
> > firewall and McAfee Virus scan. I've now upgraded to the full McAfee
> > Internet Security package incl firewall. I've run both adaware and spybot,
> > both in safe mode and normal mode, and i've turned off system restore while i
> > was doing all those things. The new Mcafee package picked up a trojan and
> > deleted it but after all of the above the problem still persists.
> >
> > Any advice please?
> >
Anonymous
a b 8 Security
May 19, 2005 10:23:17 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi

Yes I've run Spybot and Adaware (many times) - to be honest the pop up boxes
aren't too bad (ie not that may) - its the fact that the desktop has been
taken over and my own desktop picture has been shoved out of the way. Let me
know how you get on with your solution and I'll have a look at HijackThis
also.

Cheers

Daz

"BrundleFly" wrote:

> Hi,
> If you haven't already, run ad-aware & spybot. if they still don't work, as
> they didn't for me, see Malke's reponse above. I haven't tried it yet
> because he only posted it a few minutes ago. I'll be trying it when i get
> home so i'll let you know tomorrow if it's successful. If it's not, i think
> i'm just going to format the hard disk which you could also do if you're
> prepared to back-up or lose everything on there for the peace of mind of a
> clean system.
>
> Are you getting ad pop-ups coming up aswell by the way? Let me know if you
> find a way to fix the problem as it's driving me crazy now!
>
> Good luck!
>
> "DazandBella" wrote:
>
> > Hi
> >
> > Was interested in your problem and in particular whether you found a
> > solution - I too have had something 'infect' my system (running on Windows
> > XP) which has taken over by desktop - first of all it went blue and now it
> > changes colour occasionally!! - did you find a solution and, if so, what was
> > it ?
> >
> > Thanks
> >
> > "BrundleFly" wrote:
> >
> > > Hi,
> > > My system has developed a prolem. Unwanted ads keep popping up for all
> > > sorts of trash, even when i'm not online. After i've closed the ads they
> > > occasionally leave icons on my desktop. Also my desktop went blue with a
> > > security warning in the middle about trojans & spyware on the system telling
> > > me to install a program called security iguard (which i didn't). I've
> > > managed to get rid of this (although i still can't get it to change from
> > > blue) but now a flashing icon appears on the desktop toolbar with messages
> > > about how my system is infected and telling me to install one security
> > > program or another.
> > >
> > > I'm on XP professional and when this started i only had the windows standard
> > > firewall and McAfee Virus scan. I've now upgraded to the full McAfee
> > > Internet Security package incl firewall. I've run both adaware and spybot,
> > > both in safe mode and normal mode, and i've turned off system restore while i
> > > was doing all those things. The new Mcafee package picked up a trojan and
> > > deleted it but after all of the above the problem still persists.
> > >
> > > Any advice please?
> > >
Anonymous
a b 8 Security
May 19, 2005 2:00:11 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "BrundleFly" <BrundleFly@discussions.microsoft.com>

| Hi,
| My system has developed a prolem. Unwanted ads keep popping up for all
| sorts of trash, even when i'm not online. After i've closed the ads they
| occasionally leave icons on my desktop. Also my desktop went blue with a
| security warning in the middle about trojans & spyware on the system telling
| me to install a program called security iguard (which i didn't). I've
| managed to get rid of this (although i still can't get it to change from
| blue) but now a flashing icon appears on the desktop toolbar with messages
| about how my system is infected and telling me to install one security
| program or another.
|
| I'm on XP professional and when this started i only had the windows standard
| firewall and McAfee Virus scan. I've now upgraded to the full McAfee
| Internet Security package incl firewall. I've run both adaware and spybot,
| both in safe mode and normal mode, and i've turned off system restore while i
| was doing all those things. The new Mcafee package picked up a trojan and
| deleted it but after all of the above the problem still persists.
|
| Any advice please?

What are versions of Ad-aware and SpyBot S&D ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
a b 8 Security
May 19, 2005 2:00:12 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi Dave,
I'm not sure as it is on my computer at home and i'm at work, i'll check
later and get back to you.

But i only downloaded them a couple of days ago and i updated them yesterday
aswell so should be the latest versions.

"David H. Lipman" wrote:

> From: "BrundleFly" <BrundleFly@discussions.microsoft.com>
>
> | Hi,
> | My system has developed a prolem. Unwanted ads keep popping up for all
> | sorts of trash, even when i'm not online. After i've closed the ads they
> | occasionally leave icons on my desktop. Also my desktop went blue with a
> | security warning in the middle about trojans & spyware on the system telling
> | me to install a program called security iguard (which i didn't). I've
> | managed to get rid of this (although i still can't get it to change from
> | blue) but now a flashing icon appears on the desktop toolbar with messages
> | about how my system is infected and telling me to install one security
> | program or another.
> |
> | I'm on XP professional and when this started i only had the windows standard
> | firewall and McAfee Virus scan. I've now upgraded to the full McAfee
> | Internet Security package incl firewall. I've run both adaware and spybot,
> | both in safe mode and normal mode, and i've turned off system restore while i
> | was doing all those things. The new Mcafee package picked up a trojan and
> | deleted it but after all of the above the problem still persists.
> |
> | Any advice please?
>
> What are versions of Ad-aware and SpyBot S&D ?
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>
Anonymous
a b 8 Security
May 19, 2005 2:47:03 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "BrundleFly" <BrundleFly@discussions.microsoft.com>

| Hi Dave,
| I'm not sure as it is on my computer at home and i'm at work, i'll check
| later and get back to you.
|
| But i only downloaded them a couple of days ago and i updated them yesterday
| aswell so should be the latest versions.

OK. Just wanted to make sure as many still use Ad-aware6 and earlier versions of SpyBot S&D
than v1.3.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Anonymous
a b 8 Security
May 19, 2005 6:51:02 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi Malke,
I've those forum links you gave me, they don't seem to be sending me the
activation e-mail though. I've posted my HijackThis log below in case you or
anyone else can help me fix it. Thanks.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\system32\intmonp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://www.qfind.net/search.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://qfind.net/bar/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://www.qfind.net/search.php?qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
http://www.qfind.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.blueyonder.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet
Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} -
c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} -
c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} -
c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe
/startup
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe"
/checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program
Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program
Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper -
{F5D4D416-51D9-45E7-BD9D-D1255026AD5E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -
{F5D4D416-51D9-45E7-BD9D-D1255026AD5E} - (no file) (HKCU)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating
System Class) -
http://download.mcafee.com/molbin/shared/mcinsctl/en-gb...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.com/v5consumer/V5Cont...
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/...
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cancerbacup.org
O17 - HKLM\Software\..\Telephony: DomainName = cancerbacup.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cancerbacup.org
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner -
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee,
Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) -
McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee
Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. -
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe





"Malke" wrote:

> BrundleFly wrote:
>
> > Hi,
> > My system has developed a prolem. Unwanted ads keep popping up for
> > all
> > sorts of trash, even when i'm not online. After i've closed the ads
> > they
> > occasionally leave icons on my desktop. Also my desktop went blue
> > with a security warning in the middle about trojans & spyware on the
> > system telling
> > me to install a program called security iguard (which i didn't). I've
> > managed to get rid of this (although i still can't get it to change
> > from blue) but now a flashing icon appears on the desktop toolbar with
> > messages about how my system is infected and telling me to install one
> > security program or another.
> >
> > I'm on XP professional and when this started i only had the windows
> > standard
> > firewall and McAfee Virus scan. I've now upgraded to the full McAfee
> > Internet Security package incl firewall. I've run both adaware and
> > spybot, both in safe mode and normal mode, and i've turned off system
> > restore while i
> > was doing all those things. The new Mcafee package picked up a trojan
> > and deleted it but after all of the above the problem still persists.
> >
> > Any advice please?
>
> If you are still getting popups, then your system is still infected.
> Since you've already run Ad-aware and Spybot (presumably the latest
> versions with updated definitions) in Safe Mode, move on to HijackThis
> and post your log at one of the HijackThis forums (not here, please).
> Here is information about HijackThis:
>
> http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
> Eshelman
> http://aumha.net - forums
> http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
> forum
> http://www.wilderssecurity.com/
> http://forums.tomcoyote.org/
> http://www.spywareinfo.com/forums/
>
> Malke
> --
> MS-MVP Windows User/Shell
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic"
>
Anonymous
a b 8 Security
May 20, 2005 5:03:27 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Brundle,
My friend had this trojan a couple of weeks ago and this is how I
helped him to get rid of the Trojan-spy.HTML -->
http://elamb.blogharbor.com/hacked/removesmithfraud.htm

More on computer Security:
elamb.org


BrundleFly wrote:
> Hi Malke,
> I've those forum links you gave me, they don't seem to be sending me
the
> activation e-mail though. I've posted my HijackThis log below in
case you or
> anyone else can help me fix it. Thanks.
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\system32\spoolsv.exe
> c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
> C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
> C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
> c:\PROGRA~1\mcafee.com\vso\mcshield.exe
> C:\WINDOWS\Explorer.EXE
> C:\WINDOWS\system32\msole32.exe
> C:\WINDOWS\popuper.exe
> C:\WINDOWS\system32\intmonp.exe
> C:\WINDOWS\System32\hkcmd.exe
> C:\PROGRA~1\mcafee.com\agent\mcagent.exe
> C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
> C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
> C:\WINDOWS\system32\wuauclt.exe
> C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
> C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
> C:\WINDOWS\system32\ctfmon.exe
> C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
> C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
> C:\Program Files\WinZip\WZQKPICK.EXE
> C:\Program Files\blueyonder IST\bin\mpbtn.exe
> C:\Documents and Settings\Administrator\Local
Settings\Temp\HijackThis.exe
>
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL
=
> http://www.qfind.net/
> R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL =
> http://www.qfind.net/search.php?qq=%s
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
> http://www.google.co.uk/
> R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
> http://qfind.net/bar/index.html
> R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
> http://www.qfind.net/
> R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
> http://www.qfind.net/search.php?qq=%s
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
> http://www.qfind.net/
> R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
> http://www.qfind.net/
> R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
> http://www.blueyonder.co.uk/
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Internet
> Explorer Provided by blueyonder
> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings,ProxyOverride = 127.0.0.1
> O2 - BHO: AcroIEHlprObj Class -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
> C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
> O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E}
-
> c:\program files\mcafee.com\mps\mcbrhlpr.dll
> O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22}
-
> c:\program files\mcafee.com\mps\popupkiller.dll
> O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
> C:\PROGRA~1\SPYBOT~1\SDHelper.dll
> O3 - Toolbar: McAfee VirusScan -
{BA52B914-B692-46c4-B683-905236F6F655} -
> c:\progra~1\mcafee.com\vso\mcvsshl.dll
> O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
> O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
> O4 - HKLM\..\Run: [MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
> O4 - HKLM\..\Run: [MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
> O4 - HKLM\..\Run: [MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
> O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe
/embedding
> O4 - HKLM\..\Run: [MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
> O4 - HKLM\..\Run: [MSKDetectorExe]
C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe
> /startup
> O4 - HKLM\..\Run: [VSOCheckTask]
"c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe"
> /checktask
> O4 - HKLM\..\Run: [VirusScan Online]
"c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
> O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
> O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
> O4 - HKCU\..\Run: [MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
> O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
> Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
> O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program

> Files\blueyonder IST\bin\matcli.exe
> O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program
> Files\WinZip\WZQKPICK.EXE
> O8 - Extra context menu item: E&xport to Microsoft Excel -
> res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
> O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263}
-
> C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
> O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
-
> C:\Program Files\Messenger\msmsgs.exe
> O9 - Extra 'Tools' menuitem: Windows Messenger -
> {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
> O9 - Extra button: Microsoft AntiSpyware helper -
> {F5D4D416-51D9-45E7-BD9D-D1255026AD5E} - (no file) (HKCU)
> O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -
> {F5D4D416-51D9-45E7-BD9D-D1255026AD5E} - (no file) (HKCU)
> O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com
Operating
> System Class) -
>
http://download.mcafee.com/molbin/shared/mcinsctl/en-gb...
> O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl
Class) -
>
http://v5.windowsupdate.microsoft.com/v5consumer/V5Cont...
> O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr
Class) -
>
http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/...
> O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
cancerbacup.org
> O17 - HKLM\Software\..\Telephony: DomainName = cancerbacup.org
> O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
cancerbacup.org
> O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
> O23 - Service: McAfee.com McShield (McShield) - Unknown owner -
> c:\PROGRA~1\mcafee.com\vso\mcshield.exe
> O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) -
McAfee,
> Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
> O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte)
-
> McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
> O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee

> Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
> O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. -
> C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
>
>
>
>
>
> "Malke" wrote:
>
> > BrundleFly wrote:
> >
> > > Hi,
> > > My system has developed a prolem. Unwanted ads keep popping up
for
> > > all
> > > sorts of trash, even when i'm not online. After i've closed the
ads
> > > they
> > > occasionally leave icons on my desktop. Also my desktop went
blue
> > > with a security warning in the middle about trojans & spyware on
the
> > > system telling
> > > me to install a program called security iguard (which i didn't).
I've
> > > managed to get rid of this (although i still can't get it to
change
> > > from blue) but now a flashing icon appears on the desktop toolbar
with
> > > messages about how my system is infected and telling me to
install one
> > > security program or another.
> > >
> > > I'm on XP professional and when this started i only had the
windows
> > > standard
> > > firewall and McAfee Virus scan. I've now upgraded to the full
McAfee
> > > Internet Security package incl firewall. I've run both adaware
and
> > > spybot, both in safe mode and normal mode, and i've turned off
system
> > > restore while i
> > > was doing all those things. The new Mcafee package picked up a
trojan
> > > and deleted it but after all of the above the problem still
persists.
> > >
> > > Any advice please?
> >
> > If you are still getting popups, then your system is still
infected.
> > Since you've already run Ad-aware and Spybot (presumably the latest
> > versions with updated definitions) in Safe Mode, move on to
HijackThis
> > and post your log at one of the HijackThis forums (not here,
please).
> > Here is information about HijackThis:
> >
> > http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
> > Eshelman
> > http://aumha.net - forums
> > http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior
HijackThis
> > forum
> > http://www.wilderssecurity.com/
> > http://forums.tomcoyote.org/
> > http://www.spywareinfo.com/forums/
> >
> > Malke
> > --
> > MS-MVP Windows User/Shell
> > Elephant Boy Computers
> > www.elephantboycomputers.com
> > "Don't Panic"
> >
Anonymous
a b 8 Security
May 23, 2005 5:28:02 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi Daz,
I've now got my system sorted, thanks to the advice from Malke and
especially the guys at the forum he directed me to. Here's a link to the
thread to see how it worked but start your own and they'll tell you exactly
what files to remove etc.

http://aumha.net/viewtopic.php?p=81593#81593


"DazandBella" wrote:

> Hi
>
> Yes I've run Spybot and Adaware (many times) - to be honest the pop up boxes
> aren't too bad (ie not that may) - its the fact that the desktop has been
> taken over and my own desktop picture has been shoved out of the way. Let me
> know how you get on with your solution and I'll have a look at HijackThis
> also.
>
> Cheers
>
> Daz
>
> "BrundleFly" wrote:
>
> > Hi,
> > If you haven't already, run ad-aware & spybot. if they still don't work, as
> > they didn't for me, see Malke's reponse above. I haven't tried it yet
> > because he only posted it a few minutes ago. I'll be trying it when i get
> > home so i'll let you know tomorrow if it's successful. If it's not, i think
> > i'm just going to format the hard disk which you could also do if you're
> > prepared to back-up or lose everything on there for the peace of mind of a
> > clean system.
> >
> > Are you getting ad pop-ups coming up aswell by the way? Let me know if you
> > find a way to fix the problem as it's driving me crazy now!
> >
> > Good luck!
> >
> > "DazandBella" wrote:
> >
> > > Hi
> > >
> > > Was interested in your problem and in particular whether you found a
> > > solution - I too have had something 'infect' my system (running on Windows
> > > XP) which has taken over by desktop - first of all it went blue and now it
> > > changes colour occasionally!! - did you find a solution and, if so, what was
> > > it ?
> > >
> > > Thanks
> > >
> > > "BrundleFly" wrote:
> > >
> > > > Hi,
> > > > My system has developed a prolem. Unwanted ads keep popping up for all
> > > > sorts of trash, even when i'm not online. After i've closed the ads they
> > > > occasionally leave icons on my desktop. Also my desktop went blue with a
> > > > security warning in the middle about trojans & spyware on the system telling
> > > > me to install a program called security iguard (which i didn't). I've
> > > > managed to get rid of this (although i still can't get it to change from
> > > > blue) but now a flashing icon appears on the desktop toolbar with messages
> > > > about how my system is infected and telling me to install one security
> > > > program or another.
> > > >
> > > > I'm on XP professional and when this started i only had the windows standard
> > > > firewall and McAfee Virus scan. I've now upgraded to the full McAfee
> > > > Internet Security package incl firewall. I've run both adaware and spybot,
> > > > both in safe mode and normal mode, and i've turned off system restore while i
> > > > was doing all those things. The new Mcafee package picked up a trojan and
> > > > deleted it but after all of the above the problem still persists.
> > > >
> > > > Any advice please?
> > > >
!